
Magnus Watn magnuswatn

@magnuswatn
magnuswatn / New-CSR.ps1
Created June 23, 2022 16:46
New-CSR.ps1
<#
.Synopsis
Script that generates a CSR for an SSL/TLS certificate.
.DESCRIPTION
The script generates a key and CSR on the local machine, for submission to a CA.
By default an RSA key (2048 bits) is generated, which will be exportable
and placed in the LocalMachine store, but this can be changed with -ECDSA, -CurrentUser and -NotExportable.
Be aware that the key becomes a so-called "CNG key", so some older software may
@magnuswatn
magnuswatn / create_ssn_ocspreq.py
Created July 7, 2021 11:02
OCSP national identity number (fødselsnummer) lookup
#!/usr/bin/env python3
"""
Script to create an OCSP request with the national identity number (fødselsnummer) extension.
Used like this: ./create_ocspreq.py cert.pem issuer.pem ocsp_request
Unfortunately it does not support signing the request, but openssl can handle that part, like this:
./create_ocspreq.py cert.pem issuer.pem - | openssl ocsp -reqin - -signer ./signcert.pem -signkey ./signkey.pem -reqout ocsp_request
@magnuswatn
magnuswatn / Enable-AutomaticRebindOfRenewedCertificate.ps1
Created July 5, 2021 11:20
Enable-AutomaticRebindOfRenewedCertificate
<#
Script that enables automatic rebinding of a renewed certificate in IIS.
Should create a scheduled task similar to the button in the IIS Manager.
Magnus Watn <[email protected]>
#>
$existingTask = (Get-ScheduledTask -TaskPath \Microsoft\Windows\CertificateServicesClient\ -TaskName IIS-AutoCertRebind -ErrorAction SilentlyContinue)
if ($null -ne $existingTask) {
<#
Quick script to decrypt and decode a SCEP request, for debugging.
The server certificate (and its corresponding private key) needs to be
available to the user running this.
#>
Add-Type -AssemblyName System.Security
function decodeNdesRequest ($request) {
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\.pem]
@="CERFile"
"Content Type"="application/x-x509-ca-cert"
def get_ca_bundle():
"""Tries to find the platform ca bundle for the system (on linux systems)"""
ca_bundles = [
# list taken from https://golang.org/src/crypto/x509/root_linux.go
"/etc/ssl/certs/ca-certificates.crt", # Debian/Ubuntu/Gentoo etc.
"/etc/pki/tls/certs/ca-bundle.crt", # Fedora/RHEL 6
"/etc/ssl/ca-bundle.pem", # OpenSUSE
"/etc/pki/tls/cacert.pem", # OpenELEC
"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", # CentOS/RHEL 7
]
<#
Quick script to dump all the issued certs from an Active Directory Certificate Services server
Magnus Watn <[email protected]>
#>
$allCerts = certutil -view -out rawCertificate
$counter = 0
For ($i=0; $i -le $allCerts.length; $i++) {
@magnuswatn
magnuswatn / sct-irule.tcl
Last active November 20, 2017 19:19
iRule to add support for the Certificate Transparency TLS extension to F5 Big-IP devices
# This iRule can be used to add support for the Certificate Transparency TLS extension to F5 Big-IP devices
# The SCT list must be generated manually, and the sct variable below updated
#
# To generate a SCT list, the Submit-CertToCT cmdlet from https://github.com/magnuswatn/Cert-Tools can be used
#
# Magnus Watn <[email protected]>
when RULE_INIT {
set sct [b64decode APAAdwBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkGjbIImjfZEwAAAV5Dgt9KAAAEAwBIMEYCIQCYgk4UXnDg3B1DLvsmaJtjFLjpdpE2xfRVBiUeE5MQVgIhALkAY37w2+ydiSf2VNNaYprD/Uqw8mIyQJWz7HahYExvAHUA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/csAAAFTb7OoKgAABAMARjBEAiB+LIypJ4JILb0EBg0NLK1Xjpu3/N4FuyAp7UPwkRKWMQIgbbLIrfh4WPdtDq5/DZXIxUMqXheCo8WdHaMKwTsW2/g=]
# Be aware that since this is a static variable, several of these rules can't coexist on the same box without changing the name
"""
A script to re-sign a certificate signing request
Can be useful if it has been tampered with,
e.g. by using the excellent DER ASCII tool
(https://github.com/google/der-ascii)
Magnus Watn <[email protected]>
"""